ESC1 Report Flag Pre-requisites - False / True Positive #241

Open
heartburn-dev opened this issue Nov 28, 2024 · 0 comments

heartburn-dev commented Nov 28, 2024

Hi all,

Little bit of a weird one, that I can't quite confirm myself yet, and don't want to give poor information in a remediation suggestion. I have an engagement where ESC1 and ESC4 are reported. ESC4 is self explanatory, due to the ACLs, but the ESC1 doesn't appear to be part of the eligible enrollment groups.

    Permissions
      Enrollment Permissions
        Enrollment Rights               : TEST.NET\EXAMPLE_MACHINE
                                          TEST.NET\Enterprise Admins
      Object Control Permissions
        Owner                           : TEST.NET\User_DA
        Full Control Principals         : TEST.NET\Domain Admins
                                          TEST.NET\Authenticated Users
        Write Owner Principals          : TEST.NET\Enterprise Admins
                                          TEST.NET\User_DA
                                          TEST.NET\Domain Admins
                                          TEST.NET\Authenticated Users
        Write Dacl Principals           : TEST.NET\Enterprise Admins
                                          TEST.NET\User_DA
                                          TEST.NET\Domain Admins
                                          TEST.NET\Authenticated Users
        Write Property Principals       : TEST.NET\Enterprise Admins
                                          TEST.NET\User_DA
                                          TEST.NET\Domain Admins
                                          TEST.NET\Authenticated Users
    [!] Vulnerabilities
      ESC1                              : 'TEST.NET\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
      ESC4                              : 'TEST.NET\\Authenticated Users' has dangerous permissions

Surprisingly, ESC1 still worked without me making modifications to the certificate via ESC4, but I'm keen to understand where the logic check is in the code. Is it simply that FullControl is akin to allowing enrollment? I note #226 but this seems slightly different, as it wasn't a FP, but isn't listed in enrollment rights.

It looks like the decision to include/not include a user in the Enrollment Rights section is here:

def can_user_enroll_in_template(self, template: LDAPEntry):

Where one of these, then, must be evaluating to true:

            if (
                EXTENDED_RIGHTS_NAME_MAP["All-Extended-Rights"]
                in rights["extended_rights"]
                or EXTENDED_RIGHTS_NAME_MAP["Enroll"] in rights["extended_rights"]
                or CERTIFICATE_RIGHTS.GENERIC_ALL in rights["rights"]
            ):

So my guess is that the CERTIFICATE_RIGHTS.GENERIC_ALL in rights["rights"] is true due to:

from enum import IntFlag

class CERTIFICATE_RIGHTS(IntFlag):
    GENERIC_ALL = 983551      # 0xF01FF: Full Control over the template object
    WRITE_OWNER = 524288      # 0x80000
    WRITE_DACL = 262144       # 0x40000
    WRITE_PROPERTY = 32       # 0x00020

    def to_list(self):
        cls = self.__class__

        # A Full Control mask is reported as the single GENERIC_ALL right
        # (rest of the method omitted in the quoted snippet)
        if self._value_ == self.GENERIC_ALL:
            return [CERTIFICATE_RIGHTS(self.GENERIC_ALL)]

Which causes the vulnerability to flag (due to FullControl), but no "Authenticated Users" to show in the enroll field.
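As an added illustration, not Certipy's code and not part of the issue above, the Python below reproduces the decision the comment traces through: the vulnerability check treats GENERIC_ALL on the template object as equivalent to holding the Enroll extended right, while the "Enrollment Rights" listing only shows principals with an explicit extended right. The class, function and principal names, the `Domain Users` ACE, and the string keys `"Enroll"` / `"All-Extended-Rights"` are assumptions standing in for Certipy's `CERTIFICATE_RIGHTS`, `can_user_enroll_in_template` and `EXTENDED_RIGHTS_NAME_MAP`; the ACE list is constructed to match the template in the report.

```python
from enum import IntFlag


class CertificateRights(IntFlag):
    """Access-mask bits on a pKICertificateTemplate object (the four values quoted in the issue)."""
    GENERIC_ALL = 983551      # 0xF01FF, Full Control over the template object
    WRITE_OWNER = 524288      # 0x80000
    WRITE_DACL = 262144       # 0x40000
    WRITE_PROPERTY = 32       # 0x00020


# Single-bit rights used when splitting a non-Full-Control mask.
SINGLE_BIT_RIGHTS = (
    CertificateRights.WRITE_OWNER,
    CertificateRights.WRITE_DACL,
    CertificateRights.WRITE_PROPERTY,
)

# Assumed names standing in for the EXTENDED_RIGHTS_NAME_MAP keys quoted in the issue.
ALL_EXTENDED_RIGHTS = "All-Extended-Rights"
ENROLL = "Enroll"


def decompose_rights(mask: int) -> list:
    """Mirror the short-circuit in to_list(): a mask carrying every Full Control bit is
    reported as the single GENERIC_ALL right; any other mask is split into its bits."""
    if mask & CertificateRights.GENERIC_ALL == CertificateRights.GENERIC_ALL:
        return [CertificateRights.GENERIC_ALL]
    return [right for right in SINGLE_BIT_RIGHTS if mask & right]


def can_enroll(mask: int, extended_rights: set) -> bool:
    """The three-way OR from can_user_enroll_in_template: enrollment is granted by the
    Enroll extended right, by All-Extended-Rights, or implicitly by GENERIC_ALL."""
    rights = decompose_rights(mask)
    return (
        ALL_EXTENDED_RIGHTS in extended_rights
        or ENROLL in extended_rights
        or CertificateRights.GENERIC_ALL in rights
    )


# Constructed ACEs shaped like the template in the issue: (principal, access mask, extended rights).
# Authenticated Users holds Full Control but no explicit Enroll right; Domain Users is a
# hypothetical principal with only WRITE_PROPERTY, i.e. ESC4-style control but no enrollment.
TEMPLATE_ACES = [
    ("TEST.NET\\EXAMPLE_MACHINE", 0, {ENROLL}),
    ("TEST.NET\\Enterprise Admins", 0, {ALL_EXTENDED_RIGHTS}),
    ("TEST.NET\\Authenticated Users", int(CertificateRights.GENERIC_ALL), set()),
    ("TEST.NET\\Domain Users", int(CertificateRights.WRITE_PROPERTY), set()),
]


def explicit_enrollment_rights(aces) -> list:
    """Principals that would appear under 'Enrollment Rights': only explicit extended rights count."""
    return [p for p, _mask, ext in aces if ENROLL in ext or ALL_EXTENDED_RIGHTS in ext]


def enrollment_capable_principals(aces) -> list:
    """Principals the vulnerability check treats as able to enroll, GENERIC_ALL included."""
    return [p for p, mask, ext in aces if can_enroll(mask, ext)]


def hidden_enrollers(aces) -> list:
    """Principals that can enroll only through Full Control and so never show in the enrollment list."""
    listed = explicit_enrollment_rights(aces)
    return [p for p in enrollment_capable_principals(aces) if p not in listed]


if __name__ == "__main__":
    print("Enrollment Rights :", explicit_enrollment_rights(TEMPLATE_ACES))
    print("Can enroll        :", enrollment_capable_principals(TEMPLATE_ACES))
    print("Via Full Control  :", hidden_enrollers(TEMPLATE_ACES))
```

Running it lists `Authenticated Users` as enrollment-capable but absent from the explicit enrollment list, which is the gap between the two report sections; the `Domain Users` ACE shows that WRITE_PROPERTY alone (ESC4) does not satisfy the enrollment check, so the ESC1 flag really does come from the Full Control bits.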
